By Nick O’Connell, Firm: KSA Riyadh, Saudi Arabia
This article describes Bahrain’s recent Personal Data Protection Law, which entered into force in August 2019. It sets out the requirements for companies and the criminalisation of certain breaches.
Bahrain’s Personal Data Protection Law (Law No. 30 of 2018) came into force on 1 August 2019, 12 months after its publication in the official gazette. The law is based on a draft produced more than ten years ago, and does not specifically contemplate GDPR. Whether Bahrain will seek to revise this new legislation to be more aligned to GDPR is unclear, but would seem unlikely at this stage.
While many companies active in Bahrain are seeking to comply with the requirements set out in the Personal Data Protection Law, the fact that associated Regulations have not yet been issued makes this difficult. For the moment, and noting our comments below regarding criminal offences, the fact that the Data Protection Authority contemplated in the law has not yet been established provides some comfort in terms of the low practical risk of enforcement.
The Personal Data Protection Law criminalises a variety of acts that would, at most, be the subject of administrative penalties in data protection laws elsewhere. Penalties generally comprise up to one year in prison and/or a fine of between BHD 1,000 and BHD 20,000 (between about USD 2,600 and about USD 53,000), or a fine only in the case of corporate entities. The following are examples of activities that attract criminal penalties under the Law:
- processing sensitive personal data in violation of the provision specifying requirements for processing sensitive personal data;
- transferring personal data outside Bahrain contrary to the provisions specifying requirements for transfers to jurisdictions that provide an adequate level of data protection, and associated exceptions;
- processing personal data without notifying the Authority in accordance with the provision that sets out the obligation to notify the Authority before commencing any data processing activities (except where certain exceptions apply), or failing to update such notification to the Authority;
- processing personal data contrary to the provision that requires prior authorisation from the Authority before processing personal data in certain circumstances;
- providing false or misleading information to the Authority or to a data subject, or withholding relevant information from the Authority, or otherwise hindering the Authority’s work; and
- disclosing any data or information accessed in the course of work, or using the same for one's own benefit or for the benefit of others unreasonably and in violation of the provisions of this law.
The Personal Data Protection Law does not specifically provide for data breach notification obligations (either to affected individuals or to the Data Protection Authority), although it is possible that requirements of this nature could be introduced when the Regulations are issued. Otherwise, loss or damage arising out of such events could be captured under other Bahrain law provisions, such as those providing for remedy where someone causes damage to another. Depending on the circumstances of a data breach, it may be prudent to consider notifying law enforcement authorities and affected individuals, although there is no generally applicable legal obligation to do so.